A successful exploit of this CrashDB code injection issue could allow an attacker to remotely execute arbitrary code on the victim's machine. All an attacker needs is to trick the Ubuntu user into opening a maliciously booby-trapped crash file.

"The code first checks if the CrashDB field starts with { indicating the start of a Python dictionary," O'Cearbhaill explains.

"If found, Apport will call Python’s builtin eval() method with the value of the CrashDB field. eval() executes the passed data as a Python expression which leads to straightforward and reliable Python code execution."
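The pattern O'Cearbhaill describes, shown as an added example beside a hardened version (this is illustrative code written for this article, not Apport's source). It assumes a simplified "Key: value" crash report layout and a constructed CrashDB value; the check that the parsed dictionary holds only string keys and values is an added defensive assumption, not something the article states about Apport.

```python
import ast

# Constructed sample report in a simplified Key: value layout (not a real Apport file).
SAMPLE_REPORT = """ProblemType: Crash
ExecutablePath: /usr/bin/gnome-calculator
CrashDB: {'impl': 'launchpad', 'project': 'ubuntu'}
"""

# Constructed CrashDB value: a dict whose value is a call expression, not a literal.
NON_LITERAL_CRASHDB = "{'impl': str('launchpad')}"


def parse_report(text):
    """Split 'Key: value' lines into a dict (simplified; ignores continuation lines)."""
    fields = {}
    for line in text.splitlines():
        if ':' in line:
            key, _, value = line.partition(':')
            fields[key.strip()] = value.strip()
    return fields


def load_crashdb_unsafe(value):
    """The vulnerable pattern from the article: data that starts with '{' is handed to eval().
    Any expression in the file is executed, not just parsed. Shown for comparison only."""
    if value.startswith('{'):
        return eval(value)
    return value


def load_crashdb_safe(value):
    """Hardened: only Python literals are accepted (ast.literal_eval rejects calls,
    attribute access and names), and the result must be a dict of str -> str."""
    if not value.startswith('{'):
        return value  # assumed: a plain crash database name, used as-is
    try:
        parsed = ast.literal_eval(value)
    except (ValueError, SyntaxError) as exc:
        raise ValueError('CrashDB is not a literal dict') from exc
    if not isinstance(parsed, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in parsed.items()
    ):
        raise ValueError('CrashDB must be a dict of strings')
    return parsed


if __name__ == '__main__':
    fields = parse_report(SAMPLE_REPORT)
    print(load_crashdb_safe(fields['CrashDB']))
```

With the non-literal value, `load_crashdb_unsafe` silently evaluates the call and returns a dict, while `load_crashdb_safe` raises ValueError before anything runs.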

The flawed code was introduced on 2012-08-22 in Apport revision 2464 and was initially included in release 2.6.1.

O'Cearbhaill has published a copy of his proof-of-concept (PoC) source code on GitHub.

Video Demonstration of the CrashDB Code Injection Attack

The researcher has also shared a video demonstration, showing that it is possible to gain control over a targeted Ubuntu system using this flaw with the help of a malicious file.

O'Cearbhaill launched Gnome Calculator with a simple Apport crash report file and explained that the file could be saved with the .crash extension or with any other extension that is not registered on Ubuntu.

The researcher reported the crash reporting app bug (listed as CVE-2016-9949, with a related path traversal bug as CVE-2016-9950) to the Ubuntu team, and the good news is that the team has already patched the flaw in Ubuntu on December 14, with O'Cearbhaill receiving a $10,000 bounty.

Users and administrators of Ubuntu Linux desktops are strongly advised to patch their systems as soon as possible via the usual update mechanism.